raesene / bwapp Goto Github PK

The portal.php page returns a 302 redirect with a blank location. Some libraries (eg. Golang) fall into an error condition with this happens and the requests fail.

HTTP/1.1 302 Found Date: Mon, 20 Apr 2020 17:14:45 GMT Server: Apache/2.4.7 (Ubuntu) X-Powered-By: PHP/5.5.9-1ubuntu4.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Location: Connection: close Content-Type: text/html Content-Length: 23353

Golang error:
"Post http://localhost:3005/portal.php: 302 response missing Location value.

There's no ssii.shtml file to be found on bwapp, making the SSI directive on the .php page irrelevant.
What?
Did someone else encounter this issue? Everybody is happy and all solving that challenge on Youtube videos, but here I am - STUCK, and for no apparent reason.
Tried downloading older versions looking for that shtml file, but... nope! Guess I would have to create one myself, which should be of no problem, but shouldn't these learning platforms be plug & hack?
The bWAPP instance is running as a container which is being managed through Portainer.
Thank you!

Hello,

I am getting this error when trying to pull the image:

$ docker pull raesene/bwapp:latest
latest: Pulling from raesene/bwapp
8387d9ff0016: Pulling fs layer 
3b52deaaf0ed: Pulling fs layer 
4bd501fad6de: Pulling fs layer 
a3ed95caeb02: Waiting 
790f0e8363b9: Waiting 
11f87572ad81: Waiting 
341e06373981: Waiting 
709079cecfb8: Waiting 
55bf9bbb788a: Waiting 
b41f3cfd3d47: Waiting 
70789ae370c5: Waiting 
43f2fd9a6779: Waiting 
6a0b3a1558bd: Waiting 
934438c9af31: Waiting 
1cfba20318ab: Waiting 
de7f3e54c21c: Waiting 
596da16c3b16: Waiting 
e94007c4319f: Waiting 
3c013e645156: Waiting 
9ebbb7309b99: Waiting 
2ab4f0fac10b: Waiting 
error pulling image configuration: unknown blob

I already tried from several machines with no success. Is this a real bug or I am missing something?

The HTTP Response Splitting page does not seem to be working. Sending the attack http://localhost:3005/http_response_splitting.php?url=http://itsecgames.blogspot.com%0D%0AReferer%3agoogle.com does not do a redirect. Just a blank page is returned.

The script has no write access to passwords/accounts.txt

I run docker run -d -p 80:80 raesene/bwapp,
then I visit http://localhost,it redirects to /login.php,
the page shows Connection failed: Unknown database 'bWAPP';

thanks for your attention!

1: XML External Entity Attacks (XXE)
always show "An error occured!",
this is script

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
 <!ENTITY bWAPP SYSTEM "http://localhost/bWAPP/robots.txt">
]>
<reset><login>&bWAPP;</login><secret>blah</secret></reset>

and

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE copyright [
<!ENTITY test SYSTEM "123">
]>
<reset>
  <login>&test;</login>
  <secret>login</secret>
</reset>

look in the source code , then

include("security.php");
include("security_level_check.php");
include("connect_i.php");

$message = "";
$body = file_get_contents("php://input");

// If the security level is not MEDIUM or HIGH
if($_COOKIE["security_level"] != "1" && $_COOKIE["security_level"] != "2")
{

    ini_set("display_errors",1);

    $xml = simplexml_load_string($body);

    // Debugging
    // print_r($xml);

    $login = $xml->login;
    $secret = $xml->secret;

    if($login && $login != "" && $secret)
    {

        // $login = mysqli_real_escape_string($link, $login);
        // $secret = mysqli_real_escape_string($link, $secret);
        
        $sql = "UPDATE users SET secret = '" . $secret . "' WHERE login = '" . $login . "'";

        // Debugging
        // echo $sql;      

        $recordset = $link->query($sql);

        if(!$recordset)
        {

            die("Connect Error: " . $link->error);

        }

        $message = $login . "'s secret has been reset!";

    }

    else
    {

        $message = "An error occured!";
        **$message = $xml;**

    }

}

add code

$message = $xml;
find can not read xml entity,
so , how to solve

i already open php url include option

What happened? It was used to work.

docker logs bb6d46ad8c9c
standard_init_linux.go:211: exec user process caused "no such file or directory"

run.sh does not exist anywhere in the source code...

I simply ran the following commands

-> docker pull raesene/bwapp
-> docker run -it -p 8081:80 raesene/bwapp (as port 80 is occupied)
P.s, its the same if i run it in detached mode, I just used -it to see the logs

Please see if you can reproduce the same error and let me know if I am doing something wrong

OS Command Injection does not work at all because the dnsutils did not install.

It would be great if this works

Are the SSL challenges available with this docker solutions? e.g. Heartbleed? Since only port 80 is open, I presume this cannot be tested? Thanks.

File upload functionality doesn't appear to be working. You can verify this by uploading a malicious payload to the container via docker cp:

docker cp rev_shell.php <container name>:/var/www/html/images

and then calling it from your browser (with a listener running of course):

http://localhost/images/rev_shell.php